
Mobler.worm
Sunday, 03 September 2006
This worm spreads by copying itself to local drives, sharing those drives over the network, and placing an Autorun.inf file in the root of each drive so that the worm is loaded automatically when a user connects to the share. The worm also configures system policies to lock down features of the operating system.

Aliases

  • Mobler (F-Secure)
  • W32/Backdoor.NWL (F-Prot)
  • W32/Mobler
  • Worm.Win32.Mobler.b (Kaspersky)

Characteristics: When run, this worm creates many copies of itself on the local machine. Each copy takes the name of an existing folder; the worm hides the real system folders and hides file extensions via Windows policy, and the copies carry the icon of a standard directory. The result is copies of the worm that look like folders, so a user who double-clicks what appears to be a folder runs the worm.

Symptoms:

The worm attempts to close windows with the following titles, i.e. the tools an administrator would use to inspect or undo its changes:

  • Command Prompt
  • RegEdit_RegEdit
  • Registry Editor
  • Windows Firewall
  • System Configuration Utility
  • Run

The following Windows policies are configured:

  • NoFind
  • NoFolderOptions
  • DisableRegistryTools
  • DisableTaskMgr

The worm copies itself to the WINDOWS SYSTEM directory and a registry run key is created to load the file at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "Windows" = C:\WINDOWS\System32\SYSTEM.exe

The worm also copies itself to C:\WINDOWS\svchost.exe (a genuine svchost.exe lives only in the System32 directory, so a copy in the Windows directory itself is a reliable indicator) and reconfigures the handlers for the following file types to point to itself, so that opening any such file runs the worm:

  • chmfile
  • htmfile
  • htmlfile
  • inffile
  • txtfile
  • batfile
  • cmdfile
  • comfile
  • JSFile
  • MSCFile
  • regfile
  • VBSFile

It also reconfigures how the following applications are launched so that the worm is loaded when they are run; these are the tools that would otherwise be used to investigate or remove the infection (note that del is a built-in command of cmd.exe, so no del.exe normally exists on a clean system):

  • attrib.exe
  • del.exe 
  • dxdiag.exe 
  • explorer.exe 
  • reg.exe 
  • regedit.exe 
  • taskkill.exe

The worm also modifies the WIN.INI file and the corresponding Winlogon Shell registry value, so that the worm is started together with the desktop shell. On a clean system this value contains only Explorer.exe; anything appended to it is suspect:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Winlogon "Shell" = Explorer.exe "C:\WINDOWS\svchost.exe"
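The persistence and lock-down changes listed above (the Run entry, the four policy values, the repointed file-type handlers and the Winlogon Shell value) can be confirmed offline from a "reg export" of the affected hives. The script below is an added example written for this page, not a vendor tool. Because the write-up names the policy values but not their full paths, it assumes they live under the usual Policies\Explorer and Policies\System keys, and it assumes the handler hijack shows up in the default value of HKCR\<progid>\shell\open\command. The sample export is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Locations from the write-up; the Policies\Explorer and Policies\System paths
# are the standard homes of the listed value names and are assumed here.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        {"nofind", "nofolderoptions"},
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        {"disableregistrytools", "disabletaskmgr"},
}
# File types whose handlers the write-up says are repointed at the worm.
HIJACKED_PROGIDS = {"chmfile", "htmfile", "htmlfile", "inffile", "txtfile", "batfile",
                    "cmdfile", "comfile", "jsfile", "mscfile", "regfile", "vbsfile"}
# Dropped binaries. A genuine svchost.exe lives only in System32 and is never
# a Run entry or a file-type handler, so any such reference is suspect.
WORM_BINARIES = {"system.exe", "svchost.exe"}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """'reg export' text -> {key path (lower-cased): {value name: data}}.
    The default value is stored under '@'; string data is unquoted and
    unescaped, other types (dword:..., hex:...) are kept verbatim."""
    hives: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:  # blank, comment and header lines
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        hives[current][name] = data
    return hives


def _launched_exe(command: str) -> str:
    """Lower-cased basename of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_for_mobler(export_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for each Mobler artifact found."""
    hives = parse_reg_export(export_text)
    findings: List[Tuple[str, str]] = []
    # 1. Run entry that starts one of the dropped binaries.
    for name, data in hives.get(RUN_KEY, {}).items():
        if _launched_exe(data) in WORM_BINARIES:
            findings.append(("run", name))
    # 2. Lock-down policies switched on.
    for key, wanted in POLICY_KEYS.items():
        for name, data in hives.get(key, {}).items():
            if name.lower() in wanted and data.lower() == "dword:00000001":
                findings.append(("policy", name))
    # 3. Winlogon Shell is exactly Explorer.exe on a clean system; anything
    #    appended to it is started with the desktop.
    for name, data in hives.get(WINLOGON_KEY, {}).items():
        if name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            findings.append(("shell", data))
    # 4. HKCR\<progid>\shell\open\command repointed at the worm.
    for key, values in hives.items():
        parts = key.split("\\")
        if (len(parts) == 5 and parts[0] == "hkey_classes_root"
                and parts[1] in HIJACKED_PROGIDS and parts[2:] == ["shell", "open", "command"]
                and _launched_exe(values.get("@", "")) in WORM_BINARIES):
            findings.append(("handler", parts[1]))
    return findings


# Constructed excerpt of a 'reg export' from an infected host, built for this
# example from the values in the write-up; ctfmon and htmlfile are benign controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows"="C:\\WINDOWS\\System32\\SYSTEM.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000001
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\svchost.exe\""
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"C:\\WINDOWS\\svchost.exe\" \"%1\""
[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
"""
```

Feed it the text of "reg export HKCU hkcu.reg" (and HKLM, HKCR) from the suspect host; real exports are UTF-16, so decode them before passing. Of the four checks, the Winlogon Shell comparison is the one worth keeping in any baseline, since Explorer.exe is the only legitimate content of that value.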

 Method of Infection:

The worm drops the following files into the WINDOWS SYSTEM directory:

  • Autorun.inf: INF file to load the worm when remote systems connect to the share
  • Black.App: text file with username and author comment
  • black.html: HTML file with author comment
  • black.ico: icon of the letters BS
  • black.jpg: image with the phrase black_symbian
  • black.txt: text file
  • Black_Symbian.pkg: list of SIS file contents
  • Black_Symbian.SIS + Cracked By .exe: copy of the worm
  • Black_Symbian.SIS: SIS archive
  • makesis.exe: SIS file creation utility
  • SYSTEM.exe: copy of the worm
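The Autorun.inf the worm places in the root of each shared drive is what turns a connection to the share into an execution of the worm, so an Autorun.inf found at a drive root is worth inspecting. The write-up does not reproduce the file, so the parser below, an added example written for this page rather than vendor code, works from the documented Autorun.inf keys that launch a program (open=, shellexecute= and shell\<verb>\command=, with shell= selecting the default verb); the two sample files are constructed, and the assumption that the worm's copy is launched as SYSTEM.exe is taken from the dropped-file list above.

```python
from typing import Dict, List, Tuple

# Extensions Windows executes directly when named in an autorun command.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section of an Autorun.inf as {lower-cased key: value}.
    Section and key names are case-insensitive on Windows, so both are folded."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _target_ext(value: str) -> str:
    """Lower-cased extension of the first token (quoted or bare) of a command."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        target = value[1:end] if end > 0 else value[1:]
    else:
        target = value.split(" ", 1)[0]
    name = target.replace("/", "\\").rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def autorun_launches(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, value) pairs that make Windows run a program: open=, shellexecute=
    and any shell\\<verb>\\command= whose target has an executable extension.
    A label= or icon= alone never starts anything and is not reported."""
    hits: List[Tuple[str, str]] = []
    for key, value in entries.items():
        runs_program = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs_program and _target_ext(value) in EXECUTABLE_EXTS:
            hits.append((key, value))
    return hits


# Constructed Autorun.inf in the style the write-up describes (the page does not
# reproduce the real file): it starts the worm copy and reuses the dropped icon.
SAMPLE_AUTORUN = """[AutoRun]
open=SYSTEM.exe
shellexecute=SYSTEM.exe
shell\\explore\\command=SYSTEM.exe
shell=explore
icon=black.ico
"""

# A benign Autorun.inf that only sets a label and icon, as a control.
BENIGN_AUTORUN = """[autorun]
label=Backup Drive
icon=drive.ico
"""
```

The shell= line matters because it makes the worm's verb the default double-click action, so even a user who has autorun disabled and opens the drive by hand from Explorer still runs it; treat a shell= override that points at a verb with an executable command the same as open=.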

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A


Last Updated ( Sunday, 03 September 2006 )